Vault and the Heartbleed bug

Is Vault affected by the Heartbleed Open SSL bug?

The only version of Vault that uses the affected version of OpenSSL is Vault 7.0

Note that OpenSSL is turned off by default in Vault, so even if you are using Vault 7.0 you will only be affected by the Heartbleed bug if you have actually enabled OpenSSL in Vault 7.0.

Vault version 7.0M1p0000 is on available by request.  It patches OpenSSL to version 1.0.1g, eliminating the bug.

This is the same code base as 7.0M0p0008 with the open-ssl library updated to 1.0.1g to address the Heart Bleed vulnerability. We have validated that secure sockets communications still work as expected.
There is also a patch available that can be used to replace the open-ssl 1.0.1e version that was part of Vault 7.0M0 versions. To replace, you should shut down Vault, overwrite the appropriate file in the Vault/lib (or Vault\lib) directory and restart Vault.  The open-ssl 1.0.1g library are
UPDATED:  September 18, 2017